GreenSky

GreenSky faced the following challenges:

• Cumbersome workflows dictated a more microservices approach allowing the DevOps team to deploy a continuous delivery of complex applications.
• Recognized the need to automate and secure processes vs. their monolithic and siloed approach that resulted in piecemeal development and production.
• Align and reconcile priorities between DevOps and Security teams to “Shift Left” so deadlines are met while improving quality and reducing defects during the software development lifecycle (SDLC).
• Required detection and remediation of Java code vulnerabilities and other open source dependencies in applications.

Inherent during the growth of any software company is the necessity to streamline and secure the SDLC so that all key stakeholders are seamlessly aligned throughout the entire DevOps process—from initial code builds to post-production.

GreenSky is no exception to this process, finding itself in need of inter-department collaboration as they started migrating critical capabilities like application security to the cloud. Continual, manual processes and complex workflows quickly gave rise to a transition to a DevOps mindset and technology processes that are reliable and repeatable — these are the hallmarks of security automation.

Previously, the use of manual static (SAST) and dynamic (DAST) testing tools, and the need for security reviews would delay agile sprints in development, frustrating stakeholders like project owners. Additionally, the cultural differences and priorities between development teams (who value product features and hi-velocity releases), and security operations teams (who value code stability and security) often find each other at odds over these priorities — causing friction between these groups.

Contrast Assess has democratized this continuous review process, allowing teams to integrate security into their existing tools in order to make more informed decisions resulting in secure code releases. It also addresses the numerous industry audits, compliance, and regulations that need to be observed.

Before GreenSky shifted their software development to a hosted cloud environment, they were using VMware on premises. Realizing this approach wouldn’t be sustainable for the long-term, they then migrated their stack directly into Amazon’s EC2 platform with nominal changes to the existing architecture.

Shortly after, they started optimizing their application structure from a monolithic style to a more lightweight microservices approach deployed across various smaller EC2 containers, using fewer resources than previous virtual machines.

GreenSky’s transformation strategy migrated legacy services into Docker (managed with Chef), and then placed everything in ECS/Fargate, the compute engine for deploying and managing containers for ECS. Developers were able to get Contrast to integrate into the Docker images and environmental variables were handled via the Jenkins pipeline. This allowed for a seamless migration to ECS/Fargate. The process can now migrate to a serverless framework by harnessing the benefits of AWS Lambda - provisioning resources while working in concert with Contrast to implement the capabilities of Contrast Assess.

Incorporation of automated AppSec for faster builds

Prior to deploying Contrast Assess, a security risk assessment had to be performed on every component at every stage of the SDLC (Dev, QA, UAT, Production) siphoning valuable time and resources. Now that development teams are running code with Contrast Security, developers can weave in security with Contrast as they write code.

Saving time: Freeing up around 10 hours a week for 2-3 people to focus on other security related work. Gaining visibility sooner: Vulnerabilities are found much earlier, eliminating unforeseen and last-minute roadblocks for quicker deployment.
Getting results faster: Starting each project with secure coding in mind, developers can see their results almost immediately with the IDE plugin.

Results

• Successfully migrated from on-premises to the AWS cloud.
• Automated key capabilities such as deployments (AppSec), and documentation (artifacts and binary repositories).
• Dockerizing via AWS for greater agility and speed. Containerized applications can scale incredibly fast, making it easy for delivery teams to pivot between frameworks.
• DevOps tools were consolidated, reducing time and wasted resources to ensure code is more effectively deployed.
• QA is provided visibility into the routes that had been exercised during testing via the Contrast Console.
• Library analysis and updates are now more easily managed and inventoried.
• Integrating Contrast with their CI/CD pipeline tools (Jenkins) as well as an orchestration tool (Chef) that also manage core AWS components.

As an innovative Fintech company, GreenSky can now accelerate its time-to-market with secure applications that were paramount to highlighting business value, operational efficiencies, flexibility and overall success. Migrating to the cloud via Amazon Web Services (AWS) and augmenting application security with Contrast helped GreenSky achieve these major strategic initiatives. By implementing Contrast Assess as part of their secure DevOps program, GreenSky established a shared responsibility model that helps galvanize and integrate security into existing workflows. As a result, this allowed GreenSky to bring their digital financial ecosystem model to the market faster and securely to meet their customer demands.